How Worried Should Android Users Be About The Secret Keys Found In Google Play?

As an Android user, I will be worried to some extent about the findings until some patch or remediation is implemented to not expose the secret keys. The magnitude will not be the same as the recent SSL heartbleed vulnerability, which had a much greater impact.

Let’s first understand what the secret keys are and determine how the consumers are affected and the general best practices.

What are secret keys? Think of secret key like a password. Service to service communication is usually authenticated with secret tokens that are known only by the involved parties (provider and consumer). As a best practice, secret tokens should never be shared and should be stored on trusted servers in a secure zone where they can be properly safeguarded with appropriate defenses and monitoring mechanisms.

What can be done with the secret keys? Per the report, Android applications contained thousands of leaked secret authentication keys, which in turn can be used by malicious users to gain unauthorized access to server resources through Amazon Web Services and compromise user accounts on Facebook.

How did they use the search engine to probe and figure out the AWS tokens? The study made use of this crawler to index and analyze over 1M apps and explored the issue of service authentication mechanisms resulting in malicious users being able to gain unauthorized access to user data and resources.

For the users who download AWS through Google play, they will be definitely affected. AWS API is accessed with an “Access KeyID” which starts with the substring “AKIA” revealing AWS tokens. To extract authentication tokens, we created a flexible framework that searches for secret tokens in the decompiled Java source files of apps using reg exp.

To test the validity of tokens through iteration, the study sent authentication requests to their respective providers. The study results showed that even after 5 months, 94% of the 308 unique tokens were still valid.

Exposure of the AWS tokens can provide access to existing AWS resources.

An attacker could potentially setup a botnet of AWS EC2 instances.

The tokens embedded in the applications were found to be root-level credentials providing access to all the other AWS services, including creating and shutting down EC2 instances or freely accessing S3 data, which is more scary.

Besides the steps taken, Amazon recognizes the risks of embedding secret keys in Android applications and actively advises developers against this practice in their Android SDK documentation as well.

How did they use search to capture the Facebook and OAuth credentials? A third-party can register his application with an OAuth provider to receive OAuth client credentials consisting of a (client_id, client_secret) key pair.

After granting permissions to the third party application, the third-party client receives an access token that can be used to read the user’s Facebook friend list or post on his public feed.

When implemented correctly, the OAuth authentication protocol never reveals the tokens associated with a client’s OAuth credentials. The tokens are stored on the third- party’s server where it can be properly safeguarded.

Developers often adapt this protocol to mobile applications by embedding OAuth tokens directly into their mobile applications without realizing their credentials are easily compromised through decompilation.

The use of hardened cryptographic hardware products to protect the private keys.

Rotate the keys and tokens on a periodic basis.

If you are an Amazon AWS customer, continue to access through a secure zone from a corporate environment rather than using from Google play.

Next steps:

Amazon started identifying their affected customers based on the list of tokens this study provided, and they also started reaching out and working with their customers to resolve the security issues. Be on the lookout if you are a affected customer!

Google plans to add checks and automated notices to developers for these specific issues as part of the Google Play application publication process

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.